Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Arnaud Huret
> > Back to the original problem.  Is Simon's answer the cause (only
> > broken PE headers are detected not broken somewhere else executables)?
> 
> Hopefully Arnaud will be able to catch one soon so we can clear up the
> mystery!
> 

I caught two different samples (NetSky.Y and Sober.gen) not caught by ClamAV 
but detected by TrendMicro VirusWall. I submitted them through the site but I got a 
message saying 'already recognized'.

What should I do to submit them to the team for further analysis?

Arnaud
ContactOffice

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] clamav-milter 0.84rc1 not generating notifications on one server

2005-04-18 Thread Christopher X. Candreva
On Mon, 18 Apr 2005, Nigel Horne wrote:

> > -ol local:/var/clamav/clmilter.sock

> Try it without the -o option. 

Didn't help.

> Why are you using -o anyway?

Machine runs a web server, I want to scan anything possibly generated by a 
buggy/compromised cgi-script, web mail, etc.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Simon
René Berber <[EMAIL PROTECTED]> wrote:
> So the OP has a correct configuration but his setup seems to not 
> detect broken executables...
> 
> Back to the original problem.  Is Simon's answer the cause (only 
> broken PE headers are detected not broken somewhere else executables)?

It really depends on the state of the sample, but it does sound like it's an 
issue with the content of the executable, rather than its structure.

Hopefully Arnaud will be able to catch one soon so we can clear up the 
mystery!

Regards,

Simon



[Clamav-users] Virus-bounce emails

2005-04-18 Thread Chris Masters
Hi All,

We've had some problems with legitimate bounces coming
from qmail that contain one text/plain mime part. This
single mime part contains some error information and
then the original raw infected mail in MIME format.

We scan emails on a part by part basis, so clam was
given the text/plain body to scan rather than the full
raw bounce mail in its entirety. Clam (and 2 other
virus scanners) failed to find the virus within the
bounce body.

I understand that the virus is pretty harmless in this
state but we would still like to block these
virus-bounce messages.

So, some questions:

1) How dangerous are these virus-bounces?

2) Should clam detect the virus when given the
text/plain main body of the bounce message?

3) Should clam detect the virus when given the entire
bounce message?

4) What other mechanisms can we use to drop these
virus-bounces?

Thanks for any help on this,

Chris
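As an added illustration (not code from this thread, from qmail or from ClamAV), the Python below reconstructs the situation Chris describes: a single-part text/plain bounce that carries the original message verbatim, so a part-by-part scan sees no attachment until the embedded message is parsed as a whole and handed to the scanner in one piece. The qmail marker line, the sample addresses and the placeholder attachment bytes are assumptions constructed for the example.

```python
"""Locate a raw message embedded in the text/plain body of a qmail bounce.

Added example, not ClamAV or qmail code. It shows why scanning a bounce
part by part can miss an attachment: the original mail sits inside one
text/plain part, and its own MIME structure (and any attachment) is only
visible once that embedded message is re-parsed as a complete message.
"""
import email
from email import policy
from email.message import EmailMessage

# Line qmail-send prints before the copy of the bounced message (assumed).
QMAIL_MARKER = "--- Below this line is a copy of the message."


def attachment_names(msg):
    """Names of the parts a per-part scanner would see as separate files."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def extract_embedded_message(bounce):
    """Return the message embedded after the marker in a text/plain part.

    Returns None when no text/plain part carries the marker, so the caller
    can fall back to scanning the bounce as it was received.
    """
    for part in bounce.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content()            # decoded text of this part
        _, marker, tail = body.partition(QMAIL_MARKER)
        if marker:
            return email.message_from_string(tail.lstrip("\n"),
                                             policy=policy.default)
    return None


def build_sample_bounce():
    """Construct a bounce shaped like the one described in the thread.

    All addresses are constructed; the attachment bytes are a harmless
    placeholder standing in for whatever the original mail carried.
    """
    original = EmailMessage()
    original["From"] = "sender@example.invalid"
    original["To"] = "recipient@example.invalid"
    original["Subject"] = "hello"
    original.set_content("see attachment")
    original.add_attachment(b"placeholder bytes, not a real payload",
                            maintype="application", subtype="octet-stream",
                            filename="document.zip")

    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@mail.example.invalid"
    bounce["To"] = "sender@example.invalid"
    bounce["Subject"] = "failure notice"
    # One text/plain part: error text, the marker, then the raw original.
    bounce.set_content(
        "Hi. This is the qmail-send program at mail.example.invalid.\n"
        "I'm afraid I wasn't able to deliver your message.\n\n"
        + QMAIL_MARKER + "\n\n" + original.as_string()
    )
    return bounce


if __name__ == "__main__":
    sample = build_sample_bounce()
    print("attachments visible in the bounce itself:", attachment_names(sample))
    inner = extract_embedded_message(sample)
    print("attachments in the embedded message:", attachment_names(inner))
```

Feeding `inner.as_bytes()` (or the unmodified bounce file) to the scanner, rather than each decoded part, is what lets the scanner see the attachment.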





Re: [Clamav-users] Worm.Mytob.A on Solaris 9

2005-04-18 Thread Nigel Horne
On Monday 18 Apr 2005 22:23, Didi Rieder wrote:
> > Didi Rieder <[EMAIL PROTECTED]> wrote:
> >> the virus Worm.Mytob.A is not recognized by clamav 0.83 on Sparc
> >> Solaris 9.
> >>
> >> [EMAIL PROTECTED] root]# clamscan --version
> >> ClamAV 0.83/837/Sun Apr 17 17:25:32 2005
> >>
> >> [EMAIL PROTECTED] root]# clamscan /tmp/ENTIRE_MESSAGE
> >> /tmp/ENTIRE_MESSAGE: OK

Send me a copy of the email (zipped with the password 'virus', please) and
I'll have a look at it on my Sparc machine.

> Didi

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Worm.Mytob.A on Solaris 9

2005-04-18 Thread Didi Rieder
Quoting Simon <[EMAIL PROTECTED]>:
> Didi Rieder <[EMAIL PROTECTED]> wrote:
> > the virus Worm.Mytob.A is not recognized by clamav 0.83 on Sparc
> > Solaris 9.
> > [EMAIL PROTECTED] root]# clamscan --version
> > ClamAV 0.83/837/Sun Apr 17 17:25:32 2005
> > [EMAIL PROTECTED] root]# clamscan /tmp/ENTIRE_MESSAGE
> > /tmp/ENTIRE_MESSAGE: OK
> Have you tried using --debug to see exactly what the scanner is doing with
> the message? It might help us work out what the problem is :o).
> My first thought would be some problem parsing the email on the Solaris box?

[EMAIL PROTECTED] tmp]# clamscan --debug /tmp/ENTIRE_MESSAGE
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Decoded signature: 486d65d0e35f87e7bca148052cdc6e67
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading databases from /var/tmp//clamav-f1dceb776c66d3a7
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-f1dceb776c66d3a7/main.ndb
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Decoded signature: 3dcf82e5f59335aa39fe040394125e52
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-1f063121404bea29/daily.zmd
LibClamAV debug: Loading databases from /var/tmp//clamav-1f063121404bea29
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.db
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-1f063121404bea29/daily.ndb
LibClamAV debug: Recognized Exim mail file
LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0
LibClamAV debug: parseEmailFile: check 'Subject: hello' contMarker 0
LibClamAV debug: parseEmailFile: check 'Date: Sun, 17 Apr 2005 20:53:20 +0200' contMarker 0
LibClamAV debug: parseEmailFile: check 'MIME-Version: 1.0' contMarker 0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed;' contMarker 0
LibClamAV debug: parseEmailFile: check '
boundary="=_NextPart_000_0010_EC66F712.4DE7C66F"' contMarker 1
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed;
boundary="=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg='
multipart/mixed;
boundary="=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = '
boundary="=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: Add arguments '
boundary="=_NextPart_000_0010_EC66F712.4DE7C66F"'
LibClamAV debug: parseEmailFile: check 'X-Priority: 3' contMarker 0
LibClamAV debug: parseEmailFile: check 'X-MSMail-Priority: Normal' contMarker 0
LibClamAV debug: parseEmailFile: check 'X-Scanned-By:
milter-sender/0.62.837 (mail [129.27.3.25]); Sun, 17 Apr 2005 20:53:53
+0200' contMarker 0
LibClamAV debug: parseEmailFile: check '' contMarker 0
LibClamAV debug: End of header information
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: Content-type 'multipart' handler
LibClamAV debug: boundaryStart: found =_NextPart_000_0010_EC66F712.4DE7C66F in --=_NextPart_000_0010_EC66F712.4DE7C66F
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Type: text/plain;   charset="Windows-1252"'
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain;
charset="Windows-1252"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain;
charset="Windows-1252"'
LibClamAV debug: messageSetMimeType: 'text'
Li

Re: [Clamav-users] clamav-milter 0.84rc1 not generating notifications on one server

2005-04-18 Thread Nigel Horne
On Monday 18 Apr 2005 20:22, Christopher X. Candreva wrote:
> 
> I'm running clamav with clamav-milter on two nearly identical sendmail 
> systems: Solaris 8 on Ultrasparc, compiled with gcc 3.4.0, sendmail is 
> 8.13.4. (The only difference between the two sendmails is one has SMTP AUTH 
> and SSL, the other doesn't).  Clamav-milter runs with these options:
> 
> /usr/local/sbin/clamav-milter \
> --external \
> --max-children=20 \ 
>   --timeout=120 \
> --headers \
> --noreject \
> [EMAIL PROTECTED] \
> --postmaster-only \
> -ol local:/var/clamav/clmilter.sock
> 
> Both systems generate the warnings on 0.83. On 0.84rc1, one system (the one 
> with SSL/AUTH) does not generate the warning reports (viruses are still 
> blocked). I've tried running with --debug, and couldn't find any additional 
> messages in the mail log.
> 
> I'm a bit stumped as to where to look next.  I can't see why the SSL/AUTH would 
> make a difference. Any ideas?

Try it without the -o option. Why are you using -o anyway?

> For the curious -- all reports are sent to [EMAIL PROTECTED] , where a 
> script parses them and loads information into an SQL database that users can 
> search. 

> Chris Candreva 

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Arnaud Huret
> So the OP has a correct configuration but his setup seems to not detect broken
> executables...
> 
> Back to the original problem.  Is Simon's answer the cause (only broken PE
> headers are detected not broken somewhere else executables)?
> -- 
> René Berber

As the config seems to be OK (or at least not too faulty ;-) , I'll try to 
catch some of these 'non-detected' examples and submit them for further 
analysis.

Arnaud Huret



[Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread René Berber
Stephen Gran wrote:
[snip]
> This option is by default disabled, and is not part of the set
> DefaultScanOptions.  If you see Default: enabled, it is a member of
> the set.  Does that make it more clear?

So the OP has a correct configuration but his setup seems to not detect broken
executables...

Back to the original problem.  Is Simon's answer the cause (only broken PE
headers are detected not broken somewhere else executables)?
-- 
René Berber



Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Stephen Gran
On Mon, Apr 18, 2005 at 02:39:02PM -0500, René Berber said:
> Tomasz Kojm wrote:
> > On Mon, 18 Apr 2005 14:10:35 -0500
> > René Berber <[EMAIL PROTECTED]> wrote:
> > 
> > 
> >>does not enable detecting them.  Why? because you have to uncomment
> >>DisableDefaultScanOptions to enable or disable the other options; even
> >>if you have DetectBrokenExecutables uncommented the default value of
> >>disabled is in effect...
> > 
> > 
> > This is wrong.
> 
> From version 0.83 clamd.conf man page:
> 
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav.
>               This option disables recommended options and allows you to
>               enable selected options. DO NOT ENABLE IT unless you know
>               what you are doing.
>               Default: disabled

There is a set of options, DefaultScanOptions, that includes a subset
of the total options.  All options in the set DefaultScanOptions are
enabled by default.  The only way to disable them in the 0.8x series is
to use the option DisableDefaultScanOptions.

The problem is that in the 0.8x series, the options are not boolean (there
is no on/off or yes/no argument to most options).  So the question arises,
how do you disable something that is enabled by default?  Commenting it
out won't work, since then the library will use the default.  The only
way currently is with DisableDefaultScanOptions.

>        ScanPE
>               PE stands for Portable Executable - it's an executable file
>               format used in all 32-bit versions of Windows operating
>               systems. This option allows ClamAV to perform a deeper
>               analysis of executable files and it's also required for
>               decompression of popular executable packers such as UPX.
>               Default: enabled
> 
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables
>               and mark them as Broken.Executable.
>               Default: disabled
> 
> What is wrong?  To enable detecting broken executables you have to change two
> options in the clamd.conf file (not only one as shown in the posted options),
> one is uncommenting DisableDefaultScanOptions, the second is uncommenting
> DetectBrokenExecutables.

This option is by default disabled, and is not part of the set
DefaultScanOptions.  If you see Default: enabled, it is a member of
the set.  Does that make it more clear?
-- 
 --
|  Stephen Gran  | Feel disillusioned?  I've got some  |
|  [EMAIL PROTECTED] | great new illusions, right here!|
|  http://www.lobefin.net/~steve | |
 --
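To make the rule Stephen lays out concrete (and the same point Jim and Tomasz make elsewhere in the thread), here is a small Python model, added for this archive and not ClamAV code, that resolves the effective scan options from a 0.8x-style clamd.conf fragment. It models only the three options quoted from the man page, takes their membership in DefaultScanOptions from the "Default:" line of each entry, and treats the constructed config fragments as stand-ins for the poster's file.

```python
"""Model of how a 0.8x-series clamd.conf resolves its scan options.

Added example, not ClamAV code. It encodes the rule stated in the thread:
an option whose man page entry says "Default: enabled" is a member of
DefaultScanOptions and is on unless DisableDefaultScanOptions is set
(uncommenting it changes nothing); an option that says "Default: disabled"
is not a member and is on only when it is uncommented. Only the three
options quoted from the man page are modelled.
"""

# Option name -> True if it belongs to DefaultScanOptions ("Default: enabled").
# Membership taken from the man page excerpts quoted in the thread.
DEFAULT_SCAN_OPTIONS = {
    "ScanPE": True,
    "DetectBrokenExecutables": False,
}


def parse_clamd_conf(text):
    """Return the option names that are present and not commented out.

    0.8x options are bare keywords with no yes/no argument, so a line either
    names the option or it does not; lines starting with '#' are comments.
    """
    present = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        present.add(line.split()[0])
    return present


def effective_scan_options(text):
    """Resolve which modelled scan options are in effect for a config."""
    present = parse_clamd_conf(text)
    defaults_disabled = "DisableDefaultScanOptions" in present
    result = {}
    for name, in_default_set in DEFAULT_SCAN_OPTIONS.items():
        if in_default_set:
            # On unless the default set is switched off; once it is, the
            # option must be listed explicitly to be on again.
            result[name] = (not defaults_disabled) or (name in present)
        else:
            # Not in the default set: on only when uncommented.
            result[name] = name in present
    return result


# Constructed fragment modelled on the snippet René quoted from the poster.
ORIGINAL_POSTER_CONF = """
#DisableDefaultScanOptions

##
## Executable files
##

ScanPE
DetectBrokenExecutables
"""

# Constructed fragment: defaults disabled and ScanPE left commented out.
DEFAULTS_DISABLED_CONF = """
DisableDefaultScanOptions
#ScanPE
DetectBrokenExecutables
"""

if __name__ == "__main__":
    print("original poster:", effective_scan_options(ORIGINAL_POSTER_CONF))
    print("defaults disabled:", effective_scan_options(DEFAULTS_DISABLED_CONF))
```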




Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Tomasz Kojm
On Tue, 19 Apr 2005 06:22:31 +1000
"Owen" <[EMAIL PROTECTED]> wrote:

> I used to get the same thing when I set up Clamav.  I will point out
> that I run Clamav for Windows and call clamscan.exe, not clamdscan.
> I have a pretty low volume mail server so the overhead is not a
> concern to me. The solution for me was to use the --mbox parameter.
> I'm unsure if that has any effect when calling clamdscan, but you may
> want to try scanning the same message using these settings.

--mbox is no longer needed since 0.80

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Apr 18 22:26:43 CEST 2005




Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Tomasz Kojm
On Mon, 18 Apr 2005 14:39:02 -0500
René Berber <[EMAIL PROTECTED]> wrote:

> Tomasz Kojm wrote:
> > On Mon, 18 Apr 2005 14:10:35 -0500
> > René Berber <[EMAIL PROTECTED]> wrote:
> > 
> > 
> >>does not enable detecting them.  Why? because you have to uncomment
> >>DisableDefaultScanOptions to enable or disable the other options;
> >>even if you have DetectBrokenExecutables uncommented the default
> >>value of disabled is in effect...
> > 
> > 
> > This is wrong.
> 
> From version 0.83 clamd.conf man page:
> 
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav.
>               This option disables recommended options and allows you to
>               enable selected options. DO NOT ENABLE IT unless you know
>               what you are doing.
>               Default: disabled
> 
>        ScanPE
>               PE stands for Portable Executable - it's an executable file
>               format used in all 32-bit versions of Windows operating
>               systems. This option allows ClamAV to perform a deeper
>               analysis of executable files and it's also required for
>               decompression of popular executable packers such as UPX.
>               Default: enabled
> 
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables
>               and mark them as Broken.Executable.
>               Default: disabled
> 
> What is wrong?  To enable detecting broken executables you have to
> change two options in the clamd.conf file (not only one as shown in
> the posted options), one is uncommenting DisableDefaultScanOptions,
> the second is uncommenting DetectBrokenExecutables.

No.

DisableDefaultScanOptions disables features enabled by default and 
DetectBrokenExecutables is not.

Anyway, DisableDefaultScanOptions will be removed in clamav-devel in the
next week.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Apr 18 22:25:36 CEST 2005




Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Jim Maul
René Berber wrote:
> Tomasz Kojm wrote:
> > On Mon, 18 Apr 2005 14:10:35 -0500
> > René Berber <[EMAIL PROTECTED]> wrote:
> > 
> > > does not enable detecting them.  Why? because you have to uncomment
> > > DisableDefaultScanOptions to enable or disable the other options; even
> > > if you have DetectBrokenExecutables uncommented the default value of
> > > disabled is in effect...
> > 
> > This is wrong.
> 
> From version 0.83 clamd.conf man page:
> 
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav.
>               This option disables recommended options and allows you to
>               enable selected options. DO NOT ENABLE IT unless you know
>               what you are doing.
>               Default: disabled
> 
>        ScanPE
>               PE stands for Portable Executable - it's an executable file
>               format used in all 32-bit versions of Windows operating
>               systems. This option allows ClamAV to perform a deeper
>               analysis of executable files and it's also required for
>               decompression of popular executable packers such as UPX.
>               Default: enabled
> 
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables
>               and mark them as Broken.Executable.
>               Default: disabled
> 
> What is wrong?  To enable detecting broken executables you have to change two
> options in the clamd.conf file (not only one as shown in the posted options),
> one is uncommenting DisableDefaultScanOptions, the second is uncommenting
> DetectBrokenExecutables.
What is wrong?  Your explanation is wrong, that's what.  You only have to 
uncomment DetectBrokenExecutables to enable the option.  The default is 
disabled.  To enable it, uncomment it.

You are thinking about options that are by default enabled but commented 
out.  To disable these options, this is where you must enable 
DisableDefaultScanOptions.  Your thinking is correct, but you're applying 
it to the wrong circumstance.

-Jim


[Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Owen

> As we are experimenting with ClamAV, we still maintain during evaluation period
> a second (and historic) defense line with TrendMicro VirusWall which we
> plan to abandon shortly.  I observed that VirusWall (the second line
> defense) reported 8 hits on (SomeFool) Worm.Netsky.P .Y .and .W.

I used to get the same thing when I set up Clamav.  I will point out that I
run Clamav for Windows and call clamscan.exe, not clamdscan.  I have a 
pretty low volume mail server so the overhead is not a concern to me.
The solution for me was to use the --mbox parameter.
I'm unsure if that has any effect when calling clamdscan, but you may want to
try scanning the same message using these settings.

cheers,
Owen


This message was scanned by ClamAV antivirus for Windows.
Although no virus was found the recipient should exercise due care.



[Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread René Berber
Tomasz Kojm wrote:
> On Mon, 18 Apr 2005 14:10:35 -0500
> René Berber <[EMAIL PROTECTED]> wrote:
> 
> 
>>does not enable detecting them.  Why? because you have to uncomment
>>DisableDefaultScanOptions to enable or disable the other options; even
>>if you have DetectBrokenExecutables uncommented the default value of
>>disabled is in effect...
> 
> 
> This is wrong.

From version 0.83 clamd.conf man page:

       DisableDefaultScanOptions
              By default clamd uses scan options recommended by libclamav.
              This option disables recommended options and allows you to
              enable selected options. DO NOT ENABLE IT unless you know
              what you are doing.
              Default: disabled

       ScanPE
              PE stands for Portable Executable - it's an executable file
              format used in all 32-bit versions of Windows operating
              systems. This option allows ClamAV to perform a deeper
              analysis of executable files and it's also required for
              decompression of popular executable packers such as UPX.
              Default: enabled

       DetectBrokenExecutables
              With this option clamd will try to detect broken executables
              and mark them as Broken.Executable.
              Default: disabled

What is wrong?  To enable detecting broken executables you have to change two
options in the clamd.conf file (not only one as shown in the posted options),
one is uncommenting DisableDefaultScanOptions, the second is uncommenting
DetectBrokenExecutables.
-- 
René Berber



[Clamav-users] clamav-milter 0.84rc1 not generating notifications on one server

2005-04-18 Thread Christopher X. Candreva

I'm running clamav with clamav-milter on two nearly identical sendmail 
systems: Solaris 8 on Ultrasparc, compiled with gcc 3.4.0, sendmail is 
8.13.4. (The only difference between the two sendmails is one has SMTP AUTH 
and SSL, the other doesn't).  Clamav-milter runs with these options:

/usr/local/sbin/clamav-milter \
--external \
--max-children=20 \ 
--timeout=120 \
--headers \
--noreject \
[EMAIL PROTECTED] \
--postmaster-only \
-ol local:/var/clamav/clmilter.sock

Both systems generate the warnings on 0.83. On 0.84rc1, one system (the one 
with SSL/AUTH) does not generate the warning reports (viruses are still 
blocked). I've tried running with --debug, and couldn't find any additional 
messages in the mail log.

I'm a bit stumped as to where to look next.  I can't see why the SSL/AUTH would 
make a difference. Any ideas?


For the curious -- all reports are sent to [EMAIL PROTECTED] , where a 
script parses them and loads information into an SQL database that users can 
search. 



==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Tomasz Kojm
On Mon, 18 Apr 2005 14:10:35 -0500
René Berber <[EMAIL PROTECTED]> wrote:

> does not enable detecting them.  Why? because you have to uncomment
> DisableDefaultScanOptions to enable or disable the other options; even
> if you have DetectBrokenExecutables uncommented the default value of
> disabled is in effect...

This is wrong.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Apr 18 21:19:21 CEST 2005




[Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread René Berber
Arnaud Huret wrote:

If detecting broken executables is the problem, then:

[snip]
> #DisableDefaultScanOptions
> 
> ##
> ## Executable files
> ##
> 
> ScanPE
> DetectBrokenExecutables
[snip]

does not enable detecting them.  Why? because you have to uncomment
DisableDefaultScanOptions to enable or disable the other options; even if you
have DetectBrokenExecutables uncommented the default value of disabled is in
effect...
-- 
René Berber



Re: [Clamav-users] CVS and snapshot-20050417

2005-04-18 Thread Andy Fiddaman
On Mon, 18 Apr 2005, Trog wrote:
; On Mon, 2005-04-18 at 13:50 +0300, Odhiambo Washington wrote:
; > I am always running on FreeBSD (4.11 and 5.4) if that matters.
; > I am only wondering if anyone has managed to successfully compile
; > Clamav from CVS, or even the snapshot-20050417 at all.
; >
; > My normal build methods do fail when I do 'make'.
; >
; > I don't see anything in the ChangeLog to help me get out of this.
; >
;
; Run autoreconf

Is this something that has changed and will stay this way? I don't
currently have the auto utilities on my Sun servers and don't really want
to add and have to maintain them. If it's just a temporary mixup in CVS
then I'll just wait.

Thanks,

Andy


Re: [Clamav-users] clamscan and CPU usage

2005-04-18 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

>Hello
>
>Please, we have seen this in one of our servers:
>
>qscand   20687 13.4  0.0 19528  936 ?RApr13 389:37
>/usr/local/clamav/bin/clamscan --verbose --debug
>/var/spool/qmailscan/tmp/servername111342211948731875

Turn off --debug.

>Has anyone seen this issue? It is the only server of about 200 that is
>behaving this way.

Did you compile this on that box or are you using someone else's rpms?
If rpm, I would download the srpm and rebuild it on that box.

-- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.8.1-24mdkenterprise   3 users,  load average: 1.14, 1.32, 1.43


Re: [Clamav-users] 0.83 potentially not catching some NetSky/SomeFool virus

2005-04-18 Thread Simon
Arnaud Huret <[EMAIL PROTECTED]> wrote:
> As we are experimenting with ClamAV, we still maintain during evaluation 
> period a second (and historic) defense line with TrendMicro 
> VirusWall which we plan to abandon shortly.  I observed that 
> VirusWall (the second line defense) reported 8 hits on (SomeFool)
>  Worm.Netsky.P .Y .and .W.
> 
> 'DetectBrokenExecutables' is activated. (Logfiles are below).

Sometimes one scanner will pick up broken malware when another fails; it all 
depends on whether the section used by a particular scanner for a signature has 
been corrupted or not. In my experience Clam tends to pick up a lot of damaged 
malware missed by the 'big gun' commercial scanners like Symantec and 
Kaspersky.

Clam checks the PE header etc. for obvious signs of damage; however, if the 
corruption lies in the actual code, 'DetectBrokenExecutables' detection will 
fail (this is based on my reading of pe.c).

Regards,

Simon 


Re: [Clamav-users] Worm.Mytob.A on Solaris 9

2005-04-18 Thread Simon
Didi Rieder <[EMAIL PROTECTED]> wrote:
> the virus Worm.Mytob.A is not recognized by clamav 0.83 on Sparc 
> Solaris 9.
> 
> [EMAIL PROTECTED] root]# clamscan --version
> ClamAV 0.83/837/Sun Apr 17 17:25:32 2005
> 
> [EMAIL PROTECTED] root]# clamscan /tmp/ENTIRE_MESSAGE
> /tmp/ENTIRE_MESSAGE: OK

Have you tried using --debug to see exactly what the scanner is doing with 
the message? It might help us work out what the problem is :o).

My first thought would be some problem parsing the email on the Solaris box?

Regards,

Simon



Re: [Clamav-users] remove scanner serve

2005-04-18 Thread Nigel Horne
On Friday 15 Apr 2005 23:46, Carl Thompson wrote:
> 
> *** REPLY SEPARATOR  ***
> 
> On 4/15/2005 at 5:49 PM Nigel Horne wrote:
> 
> >> *** REPLY SEPARATOR  ***
> >>
> >> On 4/15/2005 at 3:58 PM Nigel Horne wrote:
> >>
> >> >On Friday 15 Apr 2005 15:56, Carl Thompson wrote:
> >> >>
> >> >> *** REPLY SEPARATOR  ***
> >> >>
> >> >> On 4/14/2005 at 10:24 PM Nigel Horne wrote:
> >> >>
> >> >> >> Okay this is what i have for clamav-milter on remote server
> >> >> >
> >> >> >Remote to sendmail? Or remote to clamd? Or both?
> >> >> >
> >> >> >> CLAMAV_FLAGS="-qlm5 --external --server=xxx.xxx.xxx.xxx
> >> >> >> local:/var/run/clamav/clmilter.sock"
> >> >> >>
> >> >> >> and I have to run clamd on that server so that clamav uses it
> >> >> >> externally to scan for virus (if i understand this correctly)
> >> >> >
> >> >> >I presume by "that server" you mean the server running clamav-milter
> >> >> >
> >> >> >>
> >> >> >> and on my primary server i did the same thing and clamav creates
> >> >> >> local socket and scans thru clamd on remote server.
> >> >> >
> >> >> >I presume by "primary server" you mean the server running clamd, though
> >> >> >I don't understand what you mean by you "did the same thing"? Why would
> >> >> >you do the same on both machines? Surely one runs clamd and one
> >> >> >runs clamav-milter?
> >> >> >
> >> >> >> however if i use
> >> >> >> INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl
> >> >> >> (machine name changed to correct machine of course)
> >> >> >
> >> >> >By "machineb" do you mean the same as "primary server" above? Or the
> >> >> >same as "that server"?
> >> >> >
> >> >> >> I still get socket errors in maillog about attempting to scan and
> >> >> >> clamd is on the remote socket not clamav-milter on the remote socket.
> >> >> >
> >> >> >> I'm sure i'm doing something simple wrong but I sure can't figure it out.
> >> >> >
> >> >> >Sorry, but I can't figure out what you're trying to do and what you've
> >> >> >tried to set up.
> >> >> >
> >> >> >The following scenarios are possible:
> >> >> >1) sendmail, clamav-milter and clamd all on one machine
> >> >> >2) sendmail and clamav-milter on one machine, clamd on another machine
> >> >> >3) sendmail on one machine, clamav-milter and clamd on another machine
> >> >> >4) sendmail, clamav-milter and clamd all on separate machines
> >> >> >5) sendmail and clamav-milter on one machine, clamd running on multiple
> >> >> >machines load balanced
> >> >> >6) sendmail and clamav-milter on separate machines, clamd running on
> >> >> >multiple machines load balanced, which may include the same machines.
> >> >> >
> >> >> >Please be very specific about what you're trying to achieve. I guess
> >> >> >it's either scenario 2 or scenario 3?
> >> >> I can get scenario 2 to work without a problem and this is how I did it
> >> >> for some time before .82 (when clamd scanning was integrated into
> >> >> clamav-milter and you no longer needed to run clamd just for clamav-milter)
> >> >>
> >> >> The problem I have is scenario 3.
> >> >>
> >> >> machine a has sendmail on it
> >> >> machine b is a low use box so I would like to run clamav-milter and
> >> >> clamd (if its necessary now) on it and have machine a connect to
> >> >> clamav-milter on machine b. however I am unable to get clamav-milter to
> >> >> listen on a TCP port on machine b
> >> >
> >> >Machine a configure looks correct:
> >> >  INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn
> >> >
> >> >On machineb try starting clamav-milter thus (based on the options you
> >> >gave, and ensure that clamd
> >> >is running on machineb first):
> >> >  CLAMAV_FLAGS="-qlm5 --external inet:3311"
> >> >
> >> >> Carl
> >> >
> >> >-Nigel
> >> >
> >>
> >> As a final update to this little endeavor this is what I did
> >>
> >> On the mail server I used
> >> INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn
> >>
> >> On the scanning server I did the following
> >>
> >> CLAMAV_FLAGS="-qlm5 inet:3311 --server xxx.xxx.xxx.xxx"
> >>
> >> I tried it with --external and that worked fine if I had clamd
> >> running (as it should be) so I figured I would try it internal
> >> and that worked fine.
> >>
> >> I did however have to specify --server because without it, it
> >> bound to 3311 on 127.0.0.1
> >
> >Again I need more information here. When you say xxx.xxx.xxx.xxx,
> >what IP address did you use? Furthermore what do you have in your
> >tcpwrappers files (/etc/hosts.allow and /etc/hosts.deny).
> >
> >--server is to do with the link clamav-milter<->clamd, whereas the
> >inet:3311 is to do with the link sendmail<->clamav-milter, so adding
> >--server should have no effect on the incoming as you've stated. I
> >need more information to see what's going on with the bind you mention.
> >
> >> Carl
> >
> >-Nigel
> 
> okay this is what I have
> 
> server A (se

Re: [Clamav-users] CVS and snapshot-20050417

2005-04-18 Thread Trog
On Mon, 2005-04-18 at 13:50 +0300, Odhiambo Washington wrote:
> I am always running on FreeBSD (4.11 and 5.4) if that matters.
> I am only wondering if anyone has managed to successfully compile
> Clamav from CVS, or even the snapshot-20050417 at all.
> 
> My normal build methods do fail when I do 'make'.
> 
> I don't see anything in the ChangeLog to help me get out of this.
> 

Run autoreconf

-trog





[Clamav-users] CVS and snapshot-20050417

2005-04-18 Thread Odhiambo Washington
I am always running on FreeBSD (4.11 and 5.4) if that matters.
I am only wondering if anyone has managed to successfully compile
Clamav from CVS, or even the snapshot-20050417 at all.

My normal build methods do fail when I do 'make'.

I don't see anything in the ChangeLog to help me get out of this.



1$ make
make  all-recursive
Making all in libclamav
"Makefile", line 406: Could not find ./.deps/binhex.Plo
"Makefile", line 407: Could not find ./.deps/blob.Plo
"Makefile", line 408: Could not find ./.deps/cabd.Plo
"Makefile", line 409: Could not find ./.deps/chmunpack.Plo
"Makefile", line 410: Could not find ./.deps/cvd.Plo
"Makefile", line 411: Could not find ./.deps/dsig.Plo
"Makefile", line 412: Could not find ./.deps/filetypes.Plo
"Makefile", line 413: Could not find ./.deps/fsg.Plo
"Makefile", line 414: Could not find ./.deps/htmlnorm.Plo
"Makefile", line 415: Could not find ./.deps/is_tar.Plo
"Makefile", line 416: Could not find ./.deps/line.Plo
"Makefile", line 417: Could not find ./.deps/lzxd.Plo
"Makefile", line 418: Could not find ./.deps/matcher-ac.Plo
"Makefile", line 419: Could not find ./.deps/matcher-bm.Plo
"Makefile", line 420: Could not find ./.deps/matcher.Plo
"Makefile", line 421: Could not find ./.deps/mbox.Plo
"Makefile", line 422: Could not find ./.deps/md5.Plo
"Makefile", line 423: Could not find ./.deps/message.Plo
"Makefile", line 424: Could not find ./.deps/msexpand.Plo
"Makefile", line 425: Could not find ./.deps/mszipd.Plo
"Makefile", line 426: Could not find ./.deps/ole2_extract.Plo
"Makefile", line 427: Could not find ./.deps/others.Plo
"Makefile", line 428: Could not find ./.deps/pe.Plo
"Makefile", line 429: Could not find ./.deps/petite.Plo
"Makefile", line 430: Could not find ./.deps/qtmd.Plo
"Makefile", line 431: Could not find ./.deps/readdb.Plo
"Makefile", line 432: Could not find ./.deps/rebuildpe.Plo
"Makefile", line 433: Could not find ./.deps/scanners.Plo
"Makefile", line 434: Could not find ./.deps/snprintf.Plo
"Makefile", line 435: Could not find ./.deps/special.Plo
"Makefile", line 436: Could not find ./.deps/str.Plo
"Makefile", line 437: Could not find ./.deps/strc.Plo
"Makefile", line 438: Could not find ./.deps/strrcpy.Plo
"Makefile", line 439: Could not find ./.deps/system.Plo
"Makefile", line 440: Could not find ./.deps/table.Plo
"Makefile", line 441: Could not find ./.deps/text.Plo
"Makefile", line 442: Could not find ./.deps/tnef.Plo
"Makefile", line 443: Could not find ./.deps/unrar.Plo
"Makefile", line 444: Could not find ./.deps/unrar15.Plo
"Makefile", line 445: Could not find ./.deps/unrar20.Plo
"Makefile", line 446: Could not find ./.deps/unrarcmd.Plo
"Makefile", line 447: Could not find ./.deps/unrarfilter.Plo
"Makefile", line 448: Could not find ./.deps/unrarppm.Plo
"Makefile", line 449: Could not find ./.deps/unrarvm.Plo
"Makefile", line 450: Could not find ./.deps/untar.Plo
"Makefile", line 451: Could not find ./.deps/upx.Plo
"Makefile", line 452: Could not find ./.deps/vba_extract.Plo
"Makefile", line 453: Could not find ./.deps/zzip-dir.Plo
"Makefile", line 454: Could not find ./.deps/zzip-err.Plo
"Makefile", line 455: Could not find ./.deps/zzip-file.Plo
"Makefile", line 456: Could not find ./.deps/zzip-info.Plo
"Makefile", line 457: Could not find ./.deps/zzip-io.Plo
"Makefile", line 458: Could not find ./.deps/zzip-stat.Plo
"Makefile", line 459: Could not find ./.deps/zzip-zip.Plo
make: fatal errors encountered -- cannot continue
*** Error code 1



-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
"Just remember, it all started with a mouse."
-- Walt Disney


Re: [Clamav-users] version info

2005-04-18 Thread Frank Elsner
On Mon, 18 Apr 2005 16:15:15 +0800 cc wrote:
> Hi,
> 
> I need a bit of a clarification regarding
> clamscan --version.  I don't know if I'm going
> crazy or what, but I did a clamscan --version,
> and it showed yesterday's date, which I assumed
> it meant the date of compilation.
> 
> But I *don't* even remember compiling it yesterday.
> 
> ClamAV 0.83/837/Sun Apr 17 23:25:32 2005

This is the date of the "daily.cvd" which is version 837.


--Frank Elsner

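The version string Frank explains above has three fields: engine version, daily.cvd version and the daily.cvd build date, so the date is the age of the loaded signatures, not of the binary. The following is an added example (not code from ClamAV or from anyone in this thread) that parses that line and turns it into a signature-freshness check, the sort of thing a monitoring job would run after `clamscan --version`. The sample lines, the 24-hour threshold and the decision to treat an engine-only line (no `/db/date` part) as "no signatures loaded" are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the clamscan --version line quoted in the thread.
SAMPLE_VERSION_LINE = "ClamAV 0.83/837/Sun Apr 17 23:25:32 2005"

# engine version, then optionally /<daily.cvd version>/<ctime-style date>
_VERSION_RE = re.compile(
    r"^ClamAV (?P<engine>[^/\s]+)(?:/(?P<db>\d+)/(?P<date>.+))?$"
)

# ctime() layout used in the third field: 'Sun Apr 17 23:25:32 2005'
_CTIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_ctime(text):
    """Parse a ctime-style timestamp. strptime treats a single space in the
    format as 'one or more spaces', so the space-padded day ctime() emits
    for days below 10 ('Sun Apr  7 ...') is accepted as well."""
    return datetime.strptime(text.strip(), _CTIME_FMT)


def parse_clamav_version(line):
    """Split 'ClamAV <engine>/<daily.cvd version>/<date>' into its parts.

    daily_version / daily_date are None when only the engine version is
    present (assumed here to mean no signature database was reported)."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised clamscan --version output: %r" % line)
    db = m.group("db")
    return {
        "engine": m.group("engine"),
        "daily_version": int(db) if db else None,
        "daily_date": parse_ctime(m.group("date")) if db else None,
    }


def signatures_stale(line, now, max_age=timedelta(hours=24)):
    """True when the loaded daily.cvd is older than max_age relative to
    'now', or when no database version/date is reported at all."""
    info = parse_clamav_version(line)
    if info["daily_date"] is None:
        return True
    return now - info["daily_date"] > max_age


if __name__ == "__main__":
    info = parse_clamav_version(SAMPLE_VERSION_LINE)
    print("engine %s, daily.cvd %d built %s"
          % (info["engine"], info["daily_version"], info["daily_date"]))
    # Constructed 'now' values: the morning after the build, and three days later.
    for now in (parse_ctime("Mon Apr 18 10:00:00 2005"),
                parse_ctime("Wed Apr 20 10:00:00 2005")):
        print(now, "stale:", signatures_stale(SAMPLE_VERSION_LINE, now))
```

Read the three fields the same way when the date looks suspicious: if it is recent but you did not rebuild, freshclam (or whatever updates daily.cvd on the box) ran, which is what Edmund is seeing.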


[Clamav-users] version info

2005-04-18 Thread cc
Hi,
I need a bit of a clarification regarding
clamscan --version.  I don't know if I'm going
crazy or what, but I did a clamscan --version,
and it showed yesterday's date, which I assumed
it meant the date of compilation.
But I *don't* even remember compiling it yesterday.
ClamAV 0.83/837/Sun Apr 17 23:25:32 2005
Now I do recall reading something about auto
updates, is this what I am seeing?
Thanks.
Edmund.